{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40778", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:20:36.793Z", "datePublished": "2026-04-15T10:21:35.665Z", "dateUpdated": "2026-04-15T10:21:35.665Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "majestic-support", "product": "Majestic Support", "vendor": "Majestic Support", "versions": [{"changes": [{"at": "1.1.3", "status": "unaffected"}], "lessThanOrEqual": "1.1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Herman | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:48.096Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Majestic Support Majestic Support majestic-support allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Majestic Support: from n/a through <= 1.1.2.</p>"}], "value": "Missing Authorization vulnerability in Majestic Support Majestic Support majestic-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Majestic Support: from n/a through <= 1.1.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:35.665Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/majestic-support/vulnerability/wordpress-majestic-support-plugin-1-1-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Majestic Support plugin <= 1.1.2 - Broken Access Control vulnerability"}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.1.3,*]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Majestic Support", "source": "cna", "vendor": "Majestic Support"}, "product": "majestic_support", "vendor": "majesticsupport"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T11:21:47.576979+00:00", "value": {"mitigation_remediation": ["Update the Majestic Support plugin to version 1.1.3 or newer to remove the missing authorization flaw.", "If an upgrade cannot be performed immediately, disable or uninstall the plugin to block unauthenticated access to its functions.", "Apply role\u2011based access control or configuration changes that limit the capabilities exposed by the plugin to only trusted user roles.", "Configure monitoring of WordPress logs to detect any ongoing unauthorized attempts to access the plugin\u2019s protected features."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All installations of the Majestic Support WordPress plugin with version 1.1.2 or older are affected. No minimum version is specified; the vulnerability exists across all releases up to and including 1.1.2.", "description_and_impact": "Missing Authorization vulnerability in Majestic Support plugin allows exploitation of incorrectly configured access control security levels. The flaw permits users without proper authorization to access plugin functions that should be restricted, potentially allowing unauthorized manipulation of support tickets or other plugin features.", "risk_and_exploitability": "The CVSS score is unavailable, and EPSS data is not provided, meaning the exact severity and likelihood of exploitation are not quantified. The vulnerability is likely accessible remotely through HTTP requests to the plugin\u2019s endpoints. Based on the description, the attack vector is inferred to be web\u2011based, requiring an authenticated or unauthenticated user to send crafted requests that bypass the plugin\u2019s access checks. The flaw is classified as a privilege escalation (CWE\u2011862)."}}}}, "created": "2026-04-15T13:38:17.785790+00:00", "updated": "2026-04-15T13:38:28.756202+00:00", "vendors": ["majesticsupport", "majesticsupport$PRODUCT$majestic_support", "wordpress", "wordpress$PRODUCT$wordpress"]}